CTO Straight Talk - Issue 2 - 55

Let's turn from security to privacy. How
are the two linked?
You can't have privacy without security. If our personal
spaces and records are not secure, we have less
privacy-we feel exposed and vulnerable, less secure.
Fundamentally, the argument for privacy is a moral
one. It is something we ought to have-not because it is
profitable or efficient, but because it is moral.

Traditionally, companies have been
paying less attention to privacy
concerns than to security threats. Is
this changing?
We are seeing the rising importance of customer and
user privacy in an increasing number of corporations.
Many now have Chief Privacy Officers, senior executives
responsible for managing the legal and reputational
risk of the personal data the corporation holds. These
executives are establishing rules and regulations even in
the absence of government mandate. They're doing this
actions like sending spam out to millions of e-mail
addresses, hoping that someone will fall for it and click
on a poisoned link. I think of them as the background
radiation of the Internet.
High-skill, low-focus attacks are more serious. These
include the more sophisticated attacks using newly
discovered "zero-day" vulnerabilities in software,

because it's good for business.

The Sony attack made clear the
link between security and privacy,
when hundreds of private e-mails
and personal information of Sony's
employees were made public.

systems, and networks. This is the sort of attack that

While companies need to improve their security against

affected Target, JPMorgan Chase, and most of the other

attacks, there's another equally important but much-

commercial networks that you've heard about in the past

less-discussed lesson here-companies should have an

year or so.

aggressive deletion policy. Everything is now digital, and

Even scarier are the high-skill, high-focus attacks-the
type that hit Sony. Low-focus attacks are easier to
defend against: If Home Depot's systems had been better
protected, the hackers would have just moved on to
an easier target. With attackers who are highly skilled
and highly focused, however, what matters is whether a
targeted company's security is superior to the attacker's
skills, not just to the security measures of other

storage is cheap-so why not save it all? But saving data,
especially e-mail and informal chats, is a liability. It's
also a security risk: the risk of exposure. The exposure
could be accidental. It could be the result of data
theft, as happened to Sony. Or it could be the result of
litigation. Whatever the reason, the best security
against these eventualities is not to have the data in
the first place.

companies. Often, it isn't. We're much better at relative

If Sony had had an aggressive data deletion policy,

security than we are at absolute security.

much of what was leaked couldn't have been stolen

CTO Straight Talk | 55


Table of Contents for the Digital Edition of CTO Straight Talk - Issue 2


CTO Straight Talk - Issue 2